EP189 How Google Does Security Programs at Scale: CISO Insights

Guest:

• Royal Hansen, CISO, Alphabet

Topics:

• What were you thinking before you took that “Google CISO” job?

• Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations?

• Are there any specific challenges or advantages that arise from operating at such a massive scale?

• What has been most surprising about Google’s internal security culture that you wish you could export to the world at large? 

• What have you learned about scaling teams in the Google context?

• How do you design effective metrics for your teams and programs?

• So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI–do you have advice for the world at large based on how we’ve done this here?

Resources:

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• CISA Secure by Design

• EP20 Security Operations, Reliability, and Securing Google with Heather Adkins

• EP91 “Hacking Google”, Op Aurora and Insider Threat at Google

• “Delivering Security at Scale: From Artisanal to Industrial”

• SRE book: CHapter 5: Toil Elimination

• SRS book: Security as an Emergent Property

• What are Security Invariants?

• EP185 SAIF-powered Collaboration to Secure AI: CoSAI and Why It Matters to You

• “Against the Gods - Remarkable Story of Risk” book